From owner-freebsd-security@FreeBSD.ORG Sat Jun 25 11:06:32 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BAE0D16A41C for ; Sat, 25 Jun 2005 11:06:32 +0000 (GMT) (envelope-from gemini@geminix.org) Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E6CB43D49 for ; Sat, 25 Jun 2005 11:06:32 +0000 (GMT) (envelope-from gemini@geminix.org) Message-ID: <42BD3AB4.2030209@geminix.org> Date: Sat, 25 Jun 2005 13:06:28 +0200 From: Uwe Doering Organization: Private UNIX Site User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050526 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Richard Coleman References: <42BC5054.908@criticalmagic.com> In-Reply-To: <42BC5054.908@criticalmagic.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Received: from gemini by geminix.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.51 (FreeBSD)) id 1Dm8UY-0002Vd-Am; Sat, 25 Jun 2005 13:06:30 +0200 Cc: freebsd-security@freebsd.org Subject: Re: Any status on timestamp vulnerability fix for 4.X? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jun 2005 11:06:32 -0000 Richard Coleman wrote: > Any information on when (or if) the following timestamp vulnerability > will be fixed for 4.X? Any information would be appreciated. > > http://www.kb.cert.org/vuls/id/637934 FYI, the fix for RELENG_5 applies to RELENG_4 as is (apart from the CVS version header, of course): http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=u After verifying its semantic correctness for RELENG_4 we've been running the patch for a couple of weeks now with no ill effects. I'm posting this also as an encouragement for committers to go ahead and do the MFC. It's low hanging fruit. Uwe -- Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers gemini@geminix.org | http://www.escapebox.net